Re: [OATH-Toolkit-help] PSKC file locking


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] PSKC file locking
Date: Thu, 14 Aug 2014 16:54:44 +0200

You wrote:

> On Thu, 2014-08-14 at 13:31 +0200, Simon Josefsson wrote:
> > First let's take a step.  Why do you want to increment the counter
> > and save it back to the same file, in a concurrent-safe way?  Are
> > you using the PSKC file as the "live" database format in some
> > application?
> 
> Yes. Sorry, I should have made it clear that I'm looking at the
> *client* side.
> 
> The OpenConnect VPN client can automatically fill in password fields
> with tokencodes from RSA SecurID, TOTP and HOTP tokens:
> http://www.infradead.org/openconnect/token.html
> 
> For SecurID and TOTP it's fairly simple as the token data are
> read-only. But with HOTP we need to increment the counter. Hence the
> requirement for writing it back to the file, with appropriate locking
> in case there are multiple concurrent users of the token.

Ok now the use-case is clearer to me.

Would it make sense to import the PSKC data into another file instead,
before you can use it? Or alternatively, maintain another data store
for the counters, and search through that data store using the
identifying information from the PSKC file?  Maybe a
~/.openconnect/token-FOO-counter file that is updated with the
counter, where FOO is replaced by token serial or something?

PSKC was intended for transportation, so it isn't ideal for this kind
of read-write cycle.  But since this is outside of oath-toolkit, it
is fine to do this if you want to -- for locking, you could use code
similar to what's in liboath's usersfile.c, which appears to deal with
potential concurrent reads/writes and I don't recall issues in this
area.

/Simon
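A client-side counter store along the lines Simon suggests, as an added example that is not code from oath-toolkit or OpenConnect: a per-token counter file advanced under an exclusive flock and replaced atomically, with the new counter committed to disk before the HOTP code is handed out, so a crash or a second concurrent user can skip a counter value but never reuse one. The file paths and the secret are assumptions for the example.

```python
import fcntl, hmac, hashlib, os, struct, tempfile

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def next_hotp(counter_path: str, secret: bytes, digits: int = 6) -> str:
    """Atomically claim the next counter value stored in counter_path and return its code.
    counter_path is an assumed location such as ~/.openconnect/token-FOO-counter."""
    # The lock lives on a separate file that is never replaced, so every process
    # locks the same inode even while the counter file itself is swapped out.
    lock_fd = os.open(counter_path + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)
        try:
            with open(counter_path) as f:
                counter = int(f.read().strip() or "0")
        except FileNotFoundError:
            counter = 0  # first use of this token on this machine
        # Write counter+1 to a temp file in the same directory, fsync it, then rename
        # over the original: a reader sees the old value or the new one, never a torn file.
        directory = os.path.dirname(os.path.abspath(counter_path))
        tmp_fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".counter-")
        with os.fdopen(tmp_fd, "w") as tmp:
            tmp.write(f"{counter + 1}\n")
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_path, counter_path)
        # Only after the increment is durable do we compute and release the code.
        return hotp(secret, counter, digits)
    finally:
        os.close(lock_fd)  # closing the descriptor releases the flock
```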
